Universal mobile telecommunication system (UMTS) is one of the dominant standards for wireless communication systems. UMTS uses an authentication and key agreement (AKA) protocol for security. The AKA is based on a global system for mobile communication (GSM) security architecture and represents a significant enhancement to it. Whereas the authentication process in GSM is one way where only the client is authenticated, UMTS requires that both a client and a network are mutually authenticated. A false base station attack, to which the GSM protocol is vulnerable, is largely, if not entirely, neutralized by the UMTS AKA protocol.
The AKA assumes the existence of a long-term shared secret key K between a universal subscriber identity module (USIM), which is part of the user equipment (UE), and a network authentication center (AuC) which resides in the home environment (HE) of the network.
FIG. 1 is a signaling diagram of a conventional authentication procedure which is tightly tied to the UMTS AKA security structure 100. A UE 152 establishes a radio resource control (RRC) connection with a radio network controller (RNC) 156 (step 102). The UE 152 reveals its security capabilities to the RNC 156 during this RRC connection process. The UE 152 then sends a layer L3 message with a user identity (ID) to a visitor location register (VLR) 158 (step 104). A user is identified with the use of the international mobile subscriber identity (IMSI). The L3 message contains a key set identifier (KSI), a number which is associated with the cipher and integrity keys derived during authentication. The KSI is set to a default value when it is sent via the initial L3 message.
Under certain conditions, (e.g., if the user has not been authenticated), the VLR 158 requires an AKA and sends an authentication data request to a home location register (HLR) 160 (step 106). Upon receipt of the authentication data request, the HLR 160 sends a set of authentication vectors (AVs) to the VLR 158 (step 108).
Each AV contains a quintet of numbers: a random number (RAND), an expected response (XRES) which is used to authenticate the user, a cipher key (CK) for establishing confidentiality, an integrity key (IK), and an authentication token (AUTN). The AUTN comprises a sequence number (SQN) hidden by an anonymity key (AK), an authentication management field (AMF) which specifies certain authentication components, (such as algorithms to be used, key lifetime, etc.), and a message authentication code (MAC) which is functionally dependent on the SQN, the AMF, and the RAND.
The VLR 158 sends the RAND and the AUTN from the first AV to the UE 152 (step 110). The UE 152 then authenticates the network by calculating the expected MAC (XMAC) and determining whether it matches the MAC (step 112). The UE 152 computes a response (RES) and sends the RES to the VLR 158 (step 114). The VLR 158 determines if the RES matches the XRES to authenticate the UE 152 (step 118). An authentication failure occurs if either of these authentication attempts fails at steps 112 and 118. The UE 152 computes the session keys, (i.e., the CK and IK in the AV) (step 116) which provide security for the current session only. The key generation is performed using predefined UMTS algorithms which take RAND as input and apply the shared secret key K.
Once mutual authentication has succeeded at steps 112 and 118, a local authentication procedure starts. This process requires the UE 152 and the VLR 158 to negotiate and determine which UMTS encryption algorithm (UEA) and UMTS integrity algorithm (UIA) to use (step 120) in the current session.
The VLR 158 sends a security mode command to the RNC 156 via a Node B 154, which includes the negotiated UEA and UIA, and the current session keys CK and IK (step 122). As secure communication can now begin, the RNC 156 then sends the security mode command to the UE 152 with a message authentication code (MAC-I) (step 124). The MAC-I value protects the integrity of the security mode command message; MAC-I is a type of keyed hash computed by the UIA over the message's contents using the session key IK.
The UE 152 verifies the integrity of the received message by calculating a MAC-I in a similar manner, using the UIA with key IK on the security mode command message's contents, and comparing it to the received MAC-I (step 126). If the authentication codes match, the UE 152 sends a security mode complete message to the RNC 156 (step 128). This round trip exchange represents the first secure communication. The RNC 156 sends a security mode complete message to the VLR 158 confirming the selected UEA and UIA (step 130). Thus, secure communication (ciphering, deciphering, and integrity protection) begins once all negotiations involving UEAs and UIAs are complete and authentication between the UE 152 and the VLR 158 is satisfied. Although integrity protection is required, communication may be performed without using confidentiality (encryption).
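As an added illustration that is not part of the original description, the following Python model walks through the AKA exchange just described (steps 106 to 126): the AuC builds an AV, the USIM checks the MAC and the sequence number before deriving RES, CK and IK, the VLR compares RES with XRES, and the UE verifies the MAC-I on the security mode command. The functions f1 to f5 and the UIA are stand-ins built on HMAC-SHA256 (an assumption; the standardized USIM algorithms are not modelled), and the field lengths and the security mode command body are constructed for the toy.

```python
import hmac
import hashlib
import os

def f(k: bytes, tag: bytes, *parts: bytes, n: int) -> bytes:
    """Keyed derivation standing in for f1..f5: HMAC-SHA256(K, tag || parts) truncated to n bytes."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def auc_generate_av(k, sqn, amf, rand):
    """AuC/HLR side (step 108): one AV = (RAND, XRES, CK, IK, AUTN)."""
    mac = f(k, b"f1", sqn, rand, amf, n=8)   # MAC depends on SQN, AMF and RAND
    xres = f(k, b"f2", rand, n=8)
    ck = f(k, b"f3", rand, n=16)
    ik = f(k, b"f4", rand, n=16)
    ak = f(k, b"f5", rand, n=6)              # anonymity key that hides SQN
    autn = xor(sqn, ak) + amf + mac          # AUTN = (SQN xor AK) || AMF || MAC
    return rand, xres, ck, ik, autn

def usim_respond(k, rand, autn, last_sqn):
    """USIM side (steps 112 and 116): authenticate the network, then derive RES, CK, IK.
    Returns None on authentication failure."""
    ak = f(k, b"f5", rand, n=6)
    sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
    xmac = f(k, b"f1", sqn, rand, amf, n=8)
    if not hmac.compare_digest(xmac, mac):
        return None                          # XMAC != MAC: network not authenticated
    if sqn <= last_sqn:
        return None                          # SQN not fresh: replayed AV (freshness check assumed)
    return f(k, b"f2", rand, n=8), f(k, b"f3", rand, n=16), f(k, b"f4", rand, n=16), sqn

def mac_i(ik, message):
    """Stand-in UIA: integrity tag over the security mode command under IK (steps 124/126)."""
    return f(ik, b"UIA", message, n=4)

def run_aka(k, sqn, last_sqn, amf=b"\x80\x00", rand=None):
    """Whole exchange with a shared K; returns (network_auth, ue_auth, security_mode_ok)."""
    rand = os.urandom(16) if rand is None else rand
    rand, xres, ck, ik, autn = auc_generate_av(k, sqn, amf, rand)
    ue = usim_respond(k, rand, autn, last_sqn)
    if ue is None:
        return False, False, False
    res, ue_ck, ue_ik, _ = ue
    ue_auth = hmac.compare_digest(res, xres)                        # VLR check (step 118)
    cmd = b"SECURITY MODE COMMAND UEA1 UIA1"                        # constructed message body
    sm_ok = hmac.compare_digest(mac_i(ue_ik, cmd), mac_i(ik, cmd))  # UE check (step 126)
    return True, ue_auth, sm_ok and ue_ck == ck
```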
There is a difference between perfect secrecy and computational secrecy on which most modern crypto systems including all public-key systems rely. Modern crypto systems rely on the fact that it may be extremely difficult from a computational resource point of view to guess the crypto key. However, in most of these systems, once the correct guess is produced, it is very easy to verify that this is indeed the correct guess. This ability is what separates computational secrecy from “perfect secrecy.” Perfect secrecy means that even if the attacker guesses the key correctly, it will have no ability to determine that it has indeed done so.
Suppose that two parties (A and B) have access to some sources of randomness, (X and Y), which at predetermined times (indexed by i) generate independent samples X_i, Y_i. Suppose that A and B wish to generate a perfectly secret key by communicating over a public channel to which an eavesdropper (E) has access. Moreover, E also has access to another source of randomness, Z, generating independent samples Z_i. The random source Z is presumably dependent on the random sources X and Y, but not as strongly as X and Y are cross-dependent on each other. Thus, A and B share some advantage over E through the stronger inter-dependence of their random sources. It has been shown that A and B can exploit this dependence to generate a perfectly secret random key.
In order to generate a perfectly secret key, A and B start by utilizing their joint randomness to establish a bit-string S′ whose inherent entropy from E's point of view is |S| bits with |S| ≤ |S′|. This is done using some number of public exchanges between A and B. In most cases a single unilateral exchange is sufficient. The exact nature of the exchange depends on the nature of the jointly-random sources (X, Y, Z). A and B then use another set of public exchanges to publicly agree on a function which transforms the sequence S′ into a perfectly secret key S.
While correlated random sources are a priori difficult to produce without prior communication, a wireless channel provides such a resource in the form of a channel impulse response (CIR). Specifically, in certain communications systems, two communicating parties, A and B, will measure a very similar CIR when communicating from A to B and from B to A, (e.g., time division duplex (TDD) systems). On the other hand, any party not physically co-located with A and B is likely to observe a CIR that has very little correlation with that of A and B. This difference can be exploited for the generation of perfectly secret keys. The channel is the source of joint randomness not shared with others (JRNSO) and the CIR measurements are the samples taken from the channel.
However, the rate at which such secret keys (bits) can be generated from the JRNSO provided by the wireless channel is typically low. Rates higher than kilobits per second of secret bits are not expected. In practice, the rate is significantly lower. Direct use of such bits for encryption, (e.g., via the one-time pad), results either in very low data rates, since no more than one bit of data can be supported per secret bit, or in susceptibility to attacks, (such as a frequency attack).
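The two-stage procedure above (joint randomness to S′, then a public agreement on a function mapping S′ to S) is illustrated here with an added Python example that is not part of the original text. The channel model (constructed Gaussian samples with correlation rho_ab between A and B and a weaker rho_e for E), the sign quantizer, the parity-based reconciliation and the use of SHA-256 as the agreed function are all simplifying assumptions made for the example, not the method the text describes.

```python
import hashlib
import random

def sample_channels(n, rho_ab=0.98, rho_e=0.1, seed=7):
    """Constructed CIR samples (assumption, not measured data): X_i at A and Y_i at B are
    strongly correlated (reciprocal channel); Z_i at E is only weakly correlated with X_i."""
    rng = random.Random(seed)
    x, y, z = [], [], []
    for _ in range(n):
        h = rng.gauss(0.0, 1.0)
        x.append(h)
        y.append(rho_ab * h + (1 - rho_ab ** 2) ** 0.5 * rng.gauss(0.0, 1.0))
        z.append(rho_e * h + (1 - rho_e ** 2) ** 0.5 * rng.gauss(0.0, 1.0))
    return x, y, z

def quantize(samples, guard=0.5):
    """One bit per sample from its sign; samples inside the guard band are dropped because
    their sign is most likely to differ between A and B. Returns {index: bit}."""
    return {i: int(s > 0) for i, s in enumerate(samples) if abs(s) > guard}

def common_bits(bits_a, bits_b):
    """First public exchange: the parties reveal which indices they kept (not the bit values)
    and keep the intersection; the result is each side's candidate S'."""
    idx = sorted(set(bits_a) & set(bits_b))
    return [bits_a[i] for i in idx], [bits_b[i] for i in idx]

def mismatch_rate(s1, s2):
    return sum(a != b for a, b in zip(s1, s2)) / max(1, min(len(s1), len(s2)))

def reconcile(s_a, s_b, block=4):
    """Simplified reconciliation: A publishes one parity bit per block and B drops blocks whose
    parity differs. This detects only an odd number of errors per block (a real system uses an
    error-correcting code) and leaks one bit per block to E, which must be removed afterwards."""
    keep_a, keep_b = [], []
    for i in range(0, len(s_a) - block + 1, block):
        ba, bb = s_a[i:i + block], s_b[i:i + block]
        if sum(ba) % 2 == sum(bb) % 2:
            keep_a += ba
            keep_b += bb
    return keep_a, keep_b

def privacy_amplify(s_prime, leaked_bits):
    """Second public exchange: both sides apply the agreed function (SHA-256 here) to S' and keep
    |S| = |S'| - leaked_bits output bits, so |S| <= |S'|. Returns (key_as_int, key_length)."""
    out_bits = max(0, min(256, len(s_prime) - leaked_bits))
    digest = hashlib.sha256(bytes(s_prime)).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits), out_bits
```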
Therefore, it is desirable to provide a method for generating secret bits at a high rate and for enhancing encryption systems using a small amount of such shared randomness.